I read this on Ars the other day and i thought i would re-post the information here as it seems like a pretty big exploit:

"A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this."

This is the scariest part: "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

I'm using Chrome and it's quite easy to set up so that you need to click to allow java to run on each site. I haven't uninstalled it yet, but i'm not going to be allowing it to run until an update comes out.

Wouldn't that be awesome if flash and java go away and never come back and get replaced with something more reliable and less buggy...

Click to expand...

Java itself is a great idea, but it has terrible security flaws.

in the last two years I have helped about a dozen friends and family members where, through a Java exploit, their computers were completely locked down, usually with programs that acted like anti-virus and wanted you to purchase their program to remove the virus that it in itself caused.

These exploits are very serious and renders a computer useless, I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this. The process to remove this malware is usually quite extensive, and varies from one instance to another.

I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this.

Click to expand...

EULA. Gotta love the things you agree to when you install software.

Oracle said:

5. LIMITATION OF LIABILITY. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF ORACLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ORACLE'S ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS (U.S. $1,000).

Click to expand...

In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it,) did agree to if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.

In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it,) did agree to if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.

Click to expand...

Doesnt pretty much all software has similiar clauses in the EULAs? If i made software i would have one.

I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases some applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.

I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases some applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.

Click to expand...

Java is slower in almost all cases. People use Java because of easier portability, and the fact that Java has many of their own libraries that are also portable.

I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases some applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.

Click to expand...

Java byte code will run on any machine that has implemented the JVM. Therefore you can write one application with one code base and have it work on multiple platforms. C/C++ libraries differ from OS to OS so code written in C/C++ for one platform may not work in another because the core libraries may be different or behave differently or not exist at all.

Java is good if your intent is to hit the largest audience you can. Newer ARM processors have Jazelle as well, which allows java byte code run in hardware as a third execution mode. So it doesn't have to be slow, it's just slow because of how its implemented. Java can be made to run fast and a lot of the time it does.

This is good actually. Holes like this exist for just about everything. They're traded in very tight circles with people highly motivated to keep them secret. If someone gets a hold of one and wants to make a quick buck selling it instead of exploiting it then it's pretty much the end of that exploit. It will get identified and patched.

Honestly the best possible way to root out these long standing exploits in browsers/flash/java is to offer rewards for those exploits. Big ones.

FireEye researchers have uncovered yet another zero-day vulnerability in Java, and attackers are currently exploiting it in the wild. The security flaw, if triggered, leads to arbitrary memory read-and-write. The security flaws are in Java v.1.6 Update 41 and the latest Java v1.7 Update 15, which was just released Feb. 19

This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.